
Over 500 Scattered Spider Phishing Domains Discovered: What Every Industry Needs to Know Now

The digital underworld just got a lot more crowded—and a lot more dangerous. Over 500 suspected phishing domains, linked to the notorious Scattered Spider group, have been unearthed in a chilling sign that no industry is safe from their ever-evolving tactics. Whether you manage IT for a major airline, oversee security at a manufacturing firm, or simply want to keep your business (and your reputation) off a hacker’s radar, you need to know what sets Scattered Spider apart—and what you can do right now to defend your organization.

Let’s dive deep into how this collective is expanding its reach, what makes their attacks so effective, and the practical steps you can take today to reduce your risk.


Who Is Scattered Spider? The Emergence of a Cyber Threat Chameleon

If you’ve skimmed recent cybersecurity headlines, you’ve probably seen the name Scattered Spider repeatedly cropping up. But what makes this criminal group so uniquely dangerous?

Scattered Spider is a hacking collective known for its advanced social engineering, nimble tactics, and appetite for high-profile targets. In just the last year, they’ve orchestrated ransomware attacks that paralyzed major retailers, infiltrated airlines, and breached sensitive data across several sectors.

But here’s the kicker: Instead of sticking to one industry, Scattered Spider constantly adapts its focus—wherever they sniff out a high-value vulnerability, they strike. It’s like playing whack-a-mole with adversaries who never stay in the same lane.


500+ Phishing Domains: A Sign of Widespread Targeting

A Web of Deception

Check Point researchers recently uncovered a trove of over 500 suspected phishing domains believed to be built by, or for, Scattered Spider. While not all these domains have been confirmed as active attack vectors, their alignment with the group’s known naming conventions and tactics is a serious red flag.

Here’s why that matters: the sheer volume suggests Scattered Spider is scaling up operations—building infrastructure at a pace and breadth that signals intent to target a much wider range of industries.

Industries in the Crosshairs

Previously, Scattered Spider focused on:

  • Technology
  • Retail
  • Aviation

But with the latest domain registrations, researchers have found imitations of brands across:

  • Manufacturing firms
  • Medical technology companies
  • Financial services providers
  • Enterprise platforms (think SaaS and cloud service giants)

This isn’t random. It’s the hallmark of a group that’s opportunistic, sophisticated, and ready to pivot wherever the payout looks promising.

For more on how phishing domains work, see CISA’s Phishing Guidance.


Inside Scattered Spider’s Playbook: Advanced Social Engineering and MFA Bypass

The Art of Deception

Scattered Spider isn’t just registering lookalike domains and hoping you’ll click. They use advanced social engineering—think targeted phishing emails, phone impersonation (vishing), and even leveraging fake IT support personas.

Their favorite trick? Going after third-party IT providers—those often-overlooked supply chain partners who might have broad access to your systems but less robust security controls.

Let me explain why this is so effective:
By compromising a trusted vendor, attackers can “piggyback” into an organization’s infrastructure, bypassing many security controls and exploiting the inherent trust in supply chains.

Bypassing MFA: The Achilles’ Heel

Multi-factor authentication (MFA) is critical, but Scattered Spider has proven adept at circumventing it. They use:

  • Typosquatted domains: Slight misspellings of legitimate websites to trick users.
  • Phishing frameworks: Replicating login portals to harvest credentials.
  • Social engineering calls: Convincing users (or helpdesks) to reset passwords or approve MFA prompts.

Why does this matter?
Many organizations overestimate how much MFA alone can protect them—especially if attackers are creative enough to exploit human weaknesses.


Post-Compromise Tactics: What Happens After the Breach

Tools of the Trade—Both Legitimate and Malicious

Once inside, Scattered Spider doesn’t rest on its laurels. They operate like professional penetration testers—only their goal is theft and disruption, not security.

Common tools in their arsenal:

  • Remote Access Tools:
      • Legitimate software: TeamViewer, ScreenConnect, Splashtop
      • Abused to maintain stealthy, long-term access to compromised systems.

  • Credential Dumping Tools:
      • Malicious favorites: Mimikatz
      • Used to extract user credentials from memory and escalate privileges.

  • Infostealer Malware:
      • Examples: Raccoon Stealer, Vidar Stealer
      • Harvests data and sends it back to attackers.

  • Ransomware-as-a-Service (RaaS):
      • Scattered Spider has been linked to sophisticated RaaS platforms, including DragonForce, enabling them to launch devastating ransomware attacks without building all the infrastructure themselves.

Here’s the harsh truth:
Even if you detect the initial breach, the tools they use may look “normal” to your systems—making detection and response substantially harder.


Scattered Spider’s Recent Attacks: From Retail Giants to Global Airlines

Retail in the Line of Fire

In late April and early May 2025, Scattered Spider orchestrated ransomware attacks against some of the UK’s best-known retailers:

  • Marks & Spencer (M&S)
  • The Co-op
  • Harrods

These incidents resulted in significant financial loss, operational downtime, and, perhaps most damagingly, loss of customer trust.

Taking to the Skies: Airlines Under Attack

By June, Scattered Spider had widened its scope to the aviation sector. The FBI issued a warning that airlines were being actively targeted for both ransomware and data extortion attacks (see the FBI’s cybersecurity advisories).

Some of the high-profile victims include:

  • WestJet Airlines (Canada)
  • Hawaiian Airlines (US)
  • Qantas (Australia)

Qantas admitted that a “potential cybercriminal” contacted the company regarding a breach that may have exposed a vast trove of customer data.

Why does this matter to you?
These aren’t isolated events or “one-off” attacks. The pattern shows Scattered Spider is prepared to go after any sector where the impact—and the potential payday—are big enough.


How Scattered Spider Builds Its Phishing Infrastructure

The Anatomy of a Phishing Domain

Most phishing attacks start with a convincing fake website. Scattered Spider’s domains:

  • Closely mimic official company URLs (e.g., substituting a single character or using an alternate TLD like .co instead of .com).
  • Are often registered in clusters, targeting multiple brands simultaneously.
  • Sometimes use terms like “support,” “login,” “verify,” or “reset” in the URL to further trick visitors.

Example:
Instead of companyname.com, the phishing site might be companyrname.co or companyname-support.com.

For technical details on how typosquatting works, check out Krebs on Security’s analysis.

Scaling Up: Why Hundreds of Domains?

By registering hundreds of domains, Scattered Spider can:

  • Launch simultaneous attacks across many verticals.
  • Rotate domains to evade blacklists.
  • Test which industries or companies are most vulnerable.
  • Keep “fresh” infrastructure ready for future campaigns.

For defenders, this means the threat landscape is always changing. Staying ahead requires constant vigilance.


Defending Against Scattered Spider: Practical Steps for Every Organization

It’s easy to feel overwhelmed with cyber threats evolving so quickly. But the good news? There are clear, actionable steps you can take to reduce your risk.

1. Proactive Domain Monitoring

  • Continuously scan new domain registrations for lookalikes or typosquats that mimic your brand.
  • Use security services that automatically block or flag suspicious domains before users can access them.
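As an added example (not from the article or Check Point's research), here is a small Python triage routine that scores newly registered domains against a protected brand list using the three patterns the "Anatomy of a Phishing Domain" section describes: one-character typosquats, TLD swaps, and brand-plus-lure-word combinations. The brand list and the registration feed are constructed samples; companyname.com is the article's own example, and acme-air is a hypothetical second brand.

```python
# Added example, not the article's or any vendor's code. Brands below are constructed samples.
PROTECTED = {
    "companyname": {"companyname.com"},
    "acme-air": {"acme-air.com", "acmeair.com"},  # hypothetical brand with two legitimate spellings
}
# Lure words the article mentions, plus a few helpdesk-themed ones (assumption).
LURE_TOKENS = {"support", "login", "verify", "reset", "helpdesk", "sso", "vpn"}


def levenshtein(a, b):
    """Edit distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (registrable label, tld). Assumes single-label TLDs; no public-suffix list."""
    labels = domain.lower().strip(".").split(".")
    return (labels[-2] if len(labels) >= 2 else labels[0]), labels[-1]


def assess(domain, brands=PROTECTED):
    """Score one domain: typosquat (1 edit), TLD swap, or brand plus extra text / lure words."""
    label, tld = split_domain(domain)
    if f"{label}.{tld}" in {d for ds in brands.values() for d in ds}:
        return {"domain": domain, "score": 0, "flagged": False, "reasons": ["owned by brand"]}
    stripped = label.replace("-", "")  # "companyname-support" -> "companynamesupport"
    score, reasons = 0, []
    for brand in brands:
        core = brand.replace("-", "")
        if stripped == core:
            score, reasons = score + 3, reasons + [f"'{brand}' on unowned TLD .{tld}"]
        elif levenshtein(stripped, core) <= 1:
            score, reasons = score + 3, reasons + [f"one edit away from '{brand}'"]
        elif core in stripped:
            score, reasons = score + 2, reasons + [f"contains '{brand}' plus extra text"]
    lure = sorted(LURE_TOKENS.intersection(label.split("-")))
    if lure:
        score, reasons = score + 1, reasons + ["lure token(s): " + ", ".join(lure)]
    return {"domain": domain, "score": score, "flagged": score >= 3, "reasons": reasons}


def triage(new_registrations):
    """Assess a feed of newly registered domains; return flagged ones, highest score first."""
    hits = [assess(d) for d in new_registrations]
    return sorted((h for h in hits if h["flagged"]), key=lambda h: -h["score"])


if __name__ == "__main__":
    feed = ["companyrname.co", "companyname-support.com", "acmeair.com", "acme-air.net", "unrelated.com"]
    for hit in triage(feed):
        print(hit["domain"], hit["score"], "; ".join(hit["reasons"]))
```

Feed the output of a certificate-transparency or new-registration watch into triage() and route flagged domains to a blocklist or takedown queue; the threshold of 3 is a starting point to tune against your own false-positive rate.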

2. Employee Training: Beyond the Basics

  • Run regular phishing simulations—including MFA abuse and vishing (voice phishing) scenarios.
  • Teach staff to recognize social engineering tactics, not just suspicious links.

3. Smarter MFA Solutions

  • Deploy adaptive MFA that incorporates behavioral analytics (e.g., location, device, login time).
  • Watch for MFA fatigue attacks where users are bombarded with approval requests.
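As an added example (not from the article), the following Python detection logic looks for MFA fatigue bursts in authentication logs: a user who receives several push challenges inside a short window, with an approval following a run of denials treated as the highest-risk pattern. The log format and the lines themselves are constructed samples, not real telemetry.

```python
# Added example, not the article's code. Log format "timestamp user event result" is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: alice is push-bombed and finally approves; bob's activity is normal.
SAMPLE_LOG = """\
2025-06-02T03:11:02Z alice mfa_push denied
2025-06-02T03:11:40Z alice mfa_push denied
2025-06-02T03:12:15Z alice mfa_push denied
2025-06-02T03:12:50Z alice mfa_push denied
2025-06-02T03:13:30Z alice mfa_push approved
2025-06-02T09:00:05Z bob mfa_push approved
2025-06-02T09:45:12Z bob mfa_push denied
2025-06-02T09:46:00Z bob mfa_push approved
"""


def parse(log):
    """Parse log lines into (timestamp, user, event, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def detect_push_bombing(events, window=timedelta(minutes=10), min_prompts=4):
    """Flag users with >= min_prompts push challenges inside `window` (one alert per user)."""
    by_user = defaultdict(list)
    for ts, user, event, result in events:
        if event == "mfa_push":
            by_user[user].append((ts, result))
    alerts = []
    for user, pushes in by_user.items():
        pushes.sort()
        for i in range(len(pushes)):
            j = i  # extend the window forward from prompt i as far as it reaches
            while j + 1 < len(pushes) and pushes[j + 1][0] - pushes[i][0] <= window:
                j += 1
            burst = pushes[i:j + 1]
            if len(burst) >= min_prompts:
                denied = sum(1 for _, r in burst if r == "denied")
                approved_later = any(r == "approved" for _, r in burst[denied:]) if denied else False
                alerts.append({"user": user, "prompts": len(burst), "denied": denied,
                               "start": burst[0][0], "end": burst[-1][0],
                               "severity": "high" if approved_later else "medium"})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse(SAMPLE_LOG)):
        print(alert)
```

A "high" alert (approval after repeated denials) is the case to treat as a probable compromise: revoke the session, reset the factor, and contact the user out of band rather than only by the email or phone number on file.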

4. Robust Endpoint Detection and Response (EDR)

  • Invest in EDR tools capable of spotting both known malware and unusual legitimate tool usage.
  • Hunt for signs of lateral movement inside your network.

5. Scrutinize Third-Party Providers

  • Audit the security maturity of vendors—especially call centers or IT providers with remote access.
  • Require layered verification for all password resets and MFA changes.

6. Layered Security for Password and MFA Support

  • Never allow password or MFA resets based on a single support request.
  • Require identity verification using multiple factors (e.g., callback numbers, one-time codes, supervisor approval).

Why Everyone—Not Just IT—Should Care

It’s tempting to think, “We’re not a bank, airline, or big retailer. Why would they target us?” But Scattered Spider’s shift toward cross-sector targeting proves that no organization is too small or obscure. If you handle valuable data, provide critical infrastructure, or simply have a digital presence, you could be on their radar.

Being “under the radar” isn’t security. Proactive defense is.


Frequently Asked Questions (FAQ)

What is Scattered Spider?

Scattered Spider is a sophisticated cybercriminal group known for its advanced social engineering skills and cross-industry cyberattacks, including phishing, ransomware, and data exfiltration.


What industries does Scattered Spider target?

Initially focused on technology, retail, and aviation, Scattered Spider now targets a wide range of industries, including manufacturing, healthcare, finance, and enterprise SaaS providers.


How does Scattered Spider bypass MFA?

They use techniques such as phishing for MFA codes, vishing (phone-based social engineering), and convincing helpdesks or users to reset credentials. They also deploy typosquatted domains to harvest credentials.


What should I do if I suspect my organization is being targeted?

  • Immediately review recent domain registrations for typosquats.
  • Notify your IT/security team and begin monitoring for unusual login attempts or access from unfamiliar remote tools.
  • Consider engaging with external cybersecurity experts or law enforcement.

Where can I find official guidance on defending against phishing and ransomware?


Key Takeaways: Stay Vigilant, Stay Resilient

The rise of Scattered Spider’s domain infrastructure is a stark reminder that cyber threats adapt fast—and so must we. Whether you’re in IT, HR, or the C-suite, understanding these tactics is the first step to building smarter defenses. Invest in proactive monitoring, empower your people with real-world training, and never underestimate the value of layered security.

Remember: In cybersecurity, being informed is being prepared.
